Posted
by
samzenpus
on Thursday March 24, 2011 @07:04AM
from the what-do-we-have-here dept.

jhernik writes "More than half of second-hand mobile phones still contain personal information of the previous owner, posing a risk of identity fraud. A study found 247 pieces of personal data stored on handsets and SIM cards purchased from eBay and second-hand electronics shops. The information ranged from credit card numbers to bank account details, photographs, email address and login details to social networking sites like Facebook and Twitter. According to data security firm CPP, 81 percent of previous owners claim they have wiped personal data from their mobile phones and SIM cards before selling them. However, deleting the information manually is 'a process that security experts acknowledge leaves the data intact and retrievable.'"

Phone manufacturers and telcos are making the wiping much harder than it needs to be. I guess they do that because they don't make any money from you selling your phone second hand. This is especially true for iPhones and Android. Are Blackberry and Windows Phone 7 really the only phones that have complete wipe feature built-in? I dont even mean the usual delete, but actual multiple times overwriting. While it's more important for business users (and why RIM and Microsoft pay more attention to such details)

Actually...I'm kinda surprised, I'd never even ever thought about selling a cell phone after I've used it...is there really a market for this?

In the past, when my cell phone was off contract, it was usually so beat up, and outdated (2 main reasons I'd want to get a new one) I just usually chunk them in the trash. I kinda assumed most everyone did, I've never seen a used one before.

I supposed with more phones like the iPhone and Android ones that are smartphones, I can see a market for used ones...I guess

Didn't know that Microsoft makes computers. But you are aware that most people who don't understand computers, use Windows, right? "Oh, perhaps the printer didn't hear me. I'll just hit the print button again."

It would not shock me if Microsoft took security more seriously than Apple.

Microsoft products are the target of more attacks.

Microsoft has more business customers.

I just got a new phone and have no idea if I successfully deleted everything from my old phone. It seems clean, but maybe I should just take it apart into little pieces and be done with it. I usually leave old phones in the donation bin at work, though.

Also remember that the iPhone jailbreaks are actually remote exploits run on a website. iPhones are basically completely rooted just by visiting a website. Great security there, tho Apple users are posting is a "good" thing as it allows them to root their phone.

I bet he thinks he's being subtle. He has been getting better sometimes, but now that we know to expect it, it's going to stay pretty obvious. I won't be able to take any new users seriously for a while..

I don't know about the WM7 implementation, but multiple times overwriting is hit and miss on flash media due to the wear levelling algorithm.Unless the chip directly supports it, multiple overwrites simply spread the writes on different sectors.

True... if you zero all memory in a solid block, it is effectively gone; no need to rewrite. If you zero only some memory, the wear leveling will kick in, and you might not actually have cleared the bits you meant to clear.

Actually it's trivially easy to wipe an iPhone. Dunno about Android, though I assume they have the same feature, but on an you can set up an iPhone to self wipe after four failed PIN attempts. That's right, if for some reason you can't figure out who to use the large "reset to factory default condition" button in iTunes, you can turn on the PIN function and force it to wipe itself after four failed attempts. But hey, it's a lot easier to bash products you know nothing about than to actually post accurate

What evidence do you have the iPhones (or Android phones for that matter) still have accessible data after a wipe? I've not heard this before. Regardless, the article is *not* about "securely" wiping the phone. It's about people foolishly trying to manually wipe a phone and missing stuff. Given that this is the only story you've *ever* commented on, and the fact that you're clearly spining facts, I'm inclined to believe the AC above who accuses you of being an astroturfer.

Maybe they should do like the iPhone then. Encrypt everything by default and when you're done with it it erases the private key - all data unreadable in under a second. I don't know where GP comes from that Apple can't but Apple is the ONLY device besides the newer Androids and some old BB's that has it and does it reliably/remotely. Many businesses actually choose iPhone over other devices (even Windows) because of the Enterprise features.

iPhones, especially the iPhone 4, have a decent erase mechanism which allows for a secure method of zeroing it out. When the device is told to erase itself, it just zeroes out the master key and replaces it with another from a cryptographically secure RNG. This is a quick, but secure way of ensuring that the data on the device is rendered inaccessible.

Just to be safe, if I were packaging an iPhone up for resale, after doing an erase from the Settings menu, I would do a DFU restore of the firmware as well,

Wasn't there a recent article on/. explaining how it was almost impossible to delete the data from flash ram?

I have proof there wasn't.

The entire flash storage on these devices is encrypted. The keys used to decrypt the drive on the fly, also stored on flash, can be overwritten quickly. Everything else on the drive looks like random numbers and 0s after the crypto keys are wiped.

Blackberry also securely wipes all user data if an incorrect unlock password is entered 10 (or fewer; configurable) times. The

I guess they do that because they don't make any money from you selling your phone second hand. This is especially true for iPhones and Android. Are Blackberry and Windows Phone 7 really the only phones that have complete wipe feature built-in?

iPhones have wipe capability as well - there's a standard option in the settings menu for it. This I think was an option since iOS 3 which added Exchange support (where it also adds remote-wipe capability)

When I gave my old phone to my mother, I went into setup and selected "factory reset". That's it, phone wiped. I then took out the SIM card, with my contact list, and moved it to my new phone, and put her SIM card into the phone instead.

That was a Samsung SGH-Z500, but as far as I know, every phone I've had has had a factory reset option. I even used it several times on my old Nokia 9110 company phone, although for other reasons (you'd think that phone was running Windows ME).

i bought a cellphone 3 years ago, and i will continue using it until it breaks, then i will smash it with an 8 pound sledge hammer against an anvil until it is a shredded pulp, then i will sweep up the pieces and put it in the trash, good luck trying to get any info off of it after that...

The main problem here isn't that people aren't deleting their data, it's that phones don't come with block-level or at least filesystem-level encryption for all data by default. If you're marketing something to everyone, including the idiots, you should make it idiot-proof.

> Encryption is only effective if you require the user to enter a pass phrase every time he needs access.

That's not how you would use encryption here.

You would encrypt most of the desk with a randomly-generated key stored in the unencrypted part.When the user of the phone then selects "Delete Everything!", you generate a new key and overwritethe old. That really will get rid of the old data.

How about a fairly accessible mandatory wipe option being required in new models? Might require SIM to be taken out first. Not too hard surely. Probably easier to do in Europe though... cell phone companies would need pushing.

If your data is stored on chip or CDs, just nuke it. All it takes is a solid 10 seconds in the microwave ~ on high. Of course, I bare no responsibility for any toxic fumes that may be released. You've been warned.

When you look at most phones (especially the pre-smart phone units), there are not easy ways to wipe it back to factory settings. There's no easy way to check if "wipe factory settings" really deleted the data or just removed pointers to the data. There is no sim to pull. And thus, there's no obvious way for the average consumer to dispose of their personal information other than to destroy the phone itself.

I bought my latest (used) car just over a year ago. It has a bluetooth handsfree system built in.

Imagine my surprise when I tried to call home one day to find that i was hearing a stranger's voice on the answering machine! Apparently the previous owner programmed her "Home" number into the car itself rather than accessing the address book from her device.

Why would you sell your SIM card? That's what the buyer needs to get from the carrier in order to activate the phone. If you sell your SIM card then it's not a case of data loss but an ignorant person.

...With the chorus of responses above. Every time I get a new phone I have to go through a goddamn voodoo ritual of clicking around on Google for a couple of hours trying to figure out where the phone manufacturer and/or the original carrier of the phone decided to hide, password protect, lock out, or otherwise attempt to obscure the method for doing a "master reset" or full wipe of the phone's data. I think in the USA this problem is compounded by the ubiquity of contract phones -- non-nerds can basically